In part 1, we looked at why security questions are generally insecure and highlighted some of the challenges involved in improving them. The next step is to look at specific suggestions for coping with what are, in many cases, broken business processes and inadequate IT solutions. We start with what happens when someone calls you and asks to take you through security questions: ‘What?! You called me!’
If someone calls you and tells you they need to take you through security questions, do not comply. They called you, so you should be the one confirming their identity, not the other way round. There are several ways to do this.
- Tell the caller that you will call them back. Always use a telephone number given in official correspondence, or a publicly available contact number for the company that is supposedly calling you.
- The caller may attempt to give you a telephone number to call back on. Never use it. If the call is fraudulent, the number will be too.
- After the call, and before calling the company back, ring a known number such as a family member or a friend. This confirms that the previous call has actually been disconnected: on some telephone systems the line stays open after you hang up, so picking up the handset and dialling a genuine number can simply continue the previous call. Better still, call back from a different phone.
- If you receive a text message asking you to call your bank or another company about an urgent matter, never use the telephone number provided in the text; look the number up independently as above.
- Even if the Caller ID shows a genuine number that you recognise, follow the same process. Caller ID can be faked.
There is an implicit assumption that the organisation calling you has the exclusive right to verify identity: they check you, but you never check them. You can test this yourself the next time you receive such a call by trying to take the caller through security. Ask them to confirm, say, the 2nd and 5th digits of your customer number, or some other obscure detail that a genuine caller would have access to. The point is not to get them to comply but to demonstrate that they will not. They will, however, insist that you comply.
The failing lies in the way businesses have set up their processes, and the process is so embedded in people’s thinking that fraudsters can step in and mimic it to obtain sensitive information. In recent years financial institutions have told customers, ‘We will never ask you for your PIN’. The logical next step would be for them to say, ‘We will never call you and ask you security questions’.
In part 3, we will look more at security questions and how the entire security model around the use of security questions has a limited shelf life.
Robert is an information security professional with over 20 years of experience across a diverse range of organisations, both in the UK and internationally. Robert graduated in 1997 with an honours degree in software engineering for security and safety-critical systems. Robert is contactable directly through Telegram.